A security researcher has discovered an undocumented backdoor in multiple Tenda firmware versions that provides attackers with administrative access to a device’s web management interface.

The security hole appears to affect Tenda routers, switches, and other types of networking devices.

Tracked as CVE-2026-11405, the vulnerable code was found in the login function of the web server binary and can be abused for authentication bypass, warns the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.

The issue exists because, when authentication fails, the login mechanism attempts to retrieve a password value stored in the device’s configuration.

Next, the mechanism checks only the user-supplied password against the value stored in the configuration, in plaintext, and grants administrative access upon a successful match.